CompTIA CySA+ Practice Tests. Mike Chapple
A. …foundry attacks
B. Side-channel attacks
C. Primary channel attacks
D. Untrusted foundry attacks

150 What key functionality do enterprise privileged account management tools provide?
A. Password creation
B. Access control to individual systems
C. Entitlement management across multiple systems
D. Account expiration tools

151 Amira wants to deploy an open standard–based single sign-on (SSO) tool that supports both authentication and authorization. What open standard should she look for if she wants to federate with a broad variety of identity providers and service providers?
A. LDAP
B. SAML
C. OAuth
D. OpenID Connect

152 Nathaniel wants to use an access control system that takes into account information about resources like the resource owner, filename, and data sensitivity. What type of access control system should he use?
A. ABAC
B. DAC
C. MAC
D. RBAC

153 What secure processing technique requires an operation to be complete before the memory locations it is accessing or writing to can be used by another process?
A. Trusted execution
B. Atomic execution
C. Anti-tamper
D. Bus encryption

154 Betty wants to review the security logs on her Windows workstation. What tool should she use to do this?
A. Secpol.msc
B. Event Viewer
C. Log Viewer
D. Logview.msc

155 What type of attack is the use of query parameterization intended to prevent?
A. Buffer overflows
B. Cross-site scripting
C. SQL injection
D. Denial-of-service attacks

156 Isaac is configuring syslog on a Linux system and wants to send the logs in a way that will ensure that they are received. What protocol should he specify to do so?
A. UDP
B. HTTP
C. HTTPS
D. TCP

157 Bob wants to deploy a VPN technology with granular access controls for applications that are enforced at the gateway. Which VPN technology is best suited to this requirement?
A. IKE VPNs
B. TLS VPNs
C. X.509 VPNs
D. IPsec VPNs

158 What type of attack is output encoding typically used against?
A. DoS
B. XSS
C. XML
D. DDoS

159 Alaina wants to identify only severe kernel issues on a Linux system, and she knows that log levels for the kernel range from level 0 to level 7. Which of the following levels is the most severe?
A. Level 1, KERN_ALERT
B. Level 2, KERN_CRIT
C. Level 4, KERN_WARNING
D. Level 7, KERN_DEBUG

Use the following scenario for questions 160–162.

Scott has been asked to select a software development model for his organization and knows that there are a number of models that may make sense for what he has been asked to accomplish. Use your knowledge of SDLC models to identify an appropriate model for each of the following requirements.

160 Scott's organization needs basic functionality of the effort to become available as soon as possible and wants to involve the teams that will use it heavily to ensure that their needs are met. What model should Scott recommend?
A. Waterfall
B. Spiral
C. Agile
D. Rapid Application Development

161 A parallel coding effort needs to occur; however, this effort involves a very complex system and errors could endanger human lives. The system involves medical records and drug dosages, and the organization values stability and accuracy over speed. Scott knows the organization often adds design constraints throughout the process and that the model he selects must also deal with that need. What model should he choose?
A. Waterfall
B. Spiral
C. Agile
D. Rapid Application Development

162 At the end of his development cycle, what SDLC phase will Scott enter as the new application is installed and replaces the old code?
A. User acceptance testing
B. Testing and integration
C. Disposition
D. Redesign

163 Sofía wants to ensure that the ICs in the new device that her commercial consumer products company is releasing cannot be easily reverse engineered. Which technique is not an appropriate means of meeting her requirement?
A. Use a trusted foundry.
B. Encase the IC in epoxy.
C. Design the chip to zeroize sensitive data if its security encapsulation fails.
D. Design the chip to handle out-of-spec voltages and clock signals.

164 Charles is reviewing the certificate properties for the certificate for www.comptia.org and notices that the DNS name reads

DNS name = *.comptia.org
DNS name = comptia.org

What type of certificate is in use?
A. A multidomain certificate
B. A wildcard certificate
C. A mismatched certificate
D. An invalid certificate

165 Alaina wants to implement a modern service-oriented architecture (SOA) that relies on HTTP-based commands, works well in limited bandwidth environments, and can handle multiple data formats beyond XML. What should she build her SOA in?
A. SOAP
B. Waterfall
C. REST
D. CAVE

166 The OWASP Session Management Cheatsheet advises that session IDs are meaningless and recommends that they should be used only as an identifier on the client side. Why should a session ID not have additional information encoded in it like the IP address of the client, their username, or other information?
A. Processing complex session IDs will slow down the service.
B. Session IDs cannot contain this information for legal reasons.
C. Session IDs are sent to multiple different users, which would result in a data breach.
D. Session IDs could be decoded, resulting in data leakage.

167 Nia's honeynet shown here is configured to use a segment of unused network space that has no legitimate servers in it. What type of threat is this design particularly useful for detecting?
A. Zero-day attacks
B. SQL injection
C. Network scans
D. DDoS attacks

168 Bounds checking, removing special characters, and forcing strings to match a limited set of options are all examples of what web application security technique?
A. SQL injection prevention
B. Input validation
C. XSS prevention
D. Fuzzing

169 Abigail is performing input validation against an input field and uses the following regular expression:

^(AA|AE|AP|AL|AK|AS|AZ|AR|CA|CO|CT|DE|DC|FM|FL|GA|GU|HI|ID|IL|IN|IA|KS|KY|LA|ME|MH|MD|MA|MI|MN|MS|MO|MT|NE|NV|NH|NJ|NM|NY|NC|ND|MP|OH|OK|OR|PW|PA|PR|RI|SC|SD|TN|TX|UT|VT|VI|VA|WA|WV|WI|WY)$

What is she checking with the regular expression?
A. She is removing all typical special characters found in SQL injection.
B. She is checking for all U.S. state names.
C. She is removing all typical special characters for cross-site scripting attacks.
D. She is checking for all U.S. state name abbreviations.

170 Adam is testing code written for a client-server application that handles financial information and notes that traffic is sent between the client and server via TCP port 80. What should he check next?
A. If the server stores data in unencrypted form
B. If the traffic is unencrypted
C. If the systems are on the same network
D. If usernames and passwords are sent as part of the traffic

171 Nick wants to prevent unauthorized firmware from being installed on devices that his organization manufactures. What technique should he use to provide an effective security layer?
A. Encrypted firmware
B. Signed firmware
C. Binary firmware
D. None of the above

172 A web server and a web browser are examples of what type of platform?
A. Embedded
B. Firmware
C. Client-server
D. SOC

173 Lara has been assigned to assess likely issues with an embedded system used for building automation and control. Which of the following software assurance issues is least likely to be of concern for her organization?
A. Lack of updates and difficulty deploying them
B. Long life cycle for the embedded devices
C. Assumptions of network security where deployed
D. Use of proprietary protocols

174 Lucca wants to prevent brute-force attacks from succeeding against a web application. Which of the following is not a commonly implemented solution to help reduce the effectiveness of brute-force attacks?
A. Multifactor authentication
B. Account lockouts
C. Password reuse
D. CAPTCHAs

175 Noam wants to ensure that he would know if the operating system, boot loader, and boot drivers of his PC were infected with malware. What type of boot process should he use to have it checked using a cryptographic hash?
A. Manual boot hash comparison
B. Secure Boot
C. TPM
D. bootsec

176 Jennifer uses an application to send randomized data to her application to determine how it responds to unexpected input. What type of tool is she using?
A. A UAT tool
B. A stress testing tool
C. A fuzzer
D. A regression testing tool

177 Isaac wants to securely handle passwords for his web application. Which of the following is not a common best practice for password storage?
A. Use a dedicated password hash like bcrypt.
B. Use a salt.
C. Store passwords in an encrypted form.
D. Set a reasonable work factor for your system.

178 Kristen wants to securely store passwords and knows that a modern password hashing algorithm is her best option. Which of the following should she choose?
A. SHA-256
B. bcrypt
C. MD5
D. SHA-512

179 Liam wants to protect data at rest in an SaaS service. He knows that he needs to consider his requirements differently in his cloud environment than in an on-premises environment. What option can he use to ensure that the data is encrypted when